On Mar 19, 2015, at 2:57 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
If two realms claim to be served by a server with IP address 192.0.2.23, we don't want one of these realms to be able to overwrite the key for the other. Either both keys will work for the same IP address, or someone is being dishonest, but it's important not to combine home servers in this instance just because they have the same IP and hostname
That is, hostname and port? The same IP can run multiple servers on different ports with different keys. There's no dishonesty in any of that.
No. The problem is different. Let’s say we have a proxy which uses *one* list for home servers. In that case, I can take *everyones* roaming down with a simple configuration. 1) I sign up for a roaming consortium, as example.org 2) When proxies ask for my RADIUS server information, I give them *my* certificate, and the RADIUS IP / port for example.com 3) a user logs into the proxy with example.com, and gets the example.com RADIUS server IP/port 4) the certificate presented for that IP/port is for example.org, so the example.com roaming will fail As a result, the home server TLS information *must* be kept separate for each realm. Alan DeKok.